Incident Response Planner - Auto-activating skill for Security Advanced. Triggers on: incident response planner, incident response planner. Part of the Security Advanced skill category.
36
Quality: 3% (Does it follow best practices?)
Impact: 97% (1.02x average score across 3 eval scenarios)
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/04-security-advanced/incident-response-planner/SKILL.md
Quality
Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder with no substantive content. It fails to describe any concrete capabilities, lacks natural trigger terms users would actually say, and provides no guidance on when Claude should select this skill. The repeated trigger term and boilerplate category reference provide minimal value for skill selection.
Suggestions
Add specific capabilities the skill provides, such as 'Creates incident response playbooks, defines escalation procedures, documents containment and recovery steps, assigns response team roles'.
Include a 'Use when...' clause with natural trigger terms like 'security incident', 'breach response', 'IR plan', 'incident playbook', 'security emergency', 'incident handling procedures'.
Differentiate from other security skills by specifying the unique focus on response planning versus detection, prevention, or analysis.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions whatsoever. It only states the skill name and category without describing what the skill actually does (e.g., create runbooks, define escalation procedures, document response steps). | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' (no capabilities listed) and 'when should Claude use it' (no explicit use-case guidance beyond the redundant trigger phrase). Both components are missing or very weak. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'incident response planner' repeated twice. This lacks natural variations users might say like 'security incident', 'breach response', 'incident playbook', 'IR plan', or 'security emergency procedures'. | 1 / 3 |
| Distinctiveness Conflict Risk | While 'incident response planner' is somewhat specific to security domain, the lack of detail about what distinguishes this from other security skills (threat modeling, vulnerability assessment, etc.) creates potential overlap within the Security Advanced category. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially an empty placeholder with no actual incident response content. It consists entirely of generic meta-descriptions about what the skill claims to do, without providing any actionable guidance, procedures, checklists, or examples that would help Claude perform incident response planning tasks.
Suggestions
Add concrete incident response phases with specific steps (e.g., detection checklist, containment procedures, communication templates)
Include executable examples such as log analysis commands, IOC detection scripts, or incident classification criteria
Provide incident response playbook templates or reference specific frameworks (NIST 800-61, SANS) with actionable implementation guidance
Add validation checkpoints for each phase (e.g., 'Before proceeding to containment, verify: scope identified, stakeholders notified, evidence preserved')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing Claude doesn't already know. Phrases like 'provides automated assistance' and 'follows industry best practices' are meaningless filler with no actual incident response content. | 1 / 3 |
| Actionability | There is zero concrete guidance - no code, no commands, no specific steps, no actual incident response procedures. The entire skill describes what it claims to do rather than providing any executable instructions. | 1 / 3 |
| Workflow Clarity | No workflow is defined whatsoever. For incident response planning, there should be clear phases (preparation, detection, containment, eradication, recovery, lessons learned) with specific steps and validation checkpoints. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of vague descriptions with no structure pointing to detailed materials. There are no references to playbooks, runbooks, or detailed procedures that would be essential for incident response. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
994edc4